New Variant of HawkEye Stealer Emerges

A new variant of HawkEye, a piece of malware used for keylogging and data theft, is being leveraged in ongoing malware distribution campaigns, Cisco’s Talos security researchers warn.

A malware kit marketed on underground forums for the past several years, HawkEye has been under active development since at least 2013. Its main purpose is to steal and exfiltrate sensitive information from applications.

In December 2018, the malware’s owner changed and a new variant emerged on hacking forums, namely HawkEye Reborn v9. Marketed as an "Advance Monitoring Solution," the threat is being sold through a licensing model and buyers are promised access to updates for specific periods of time.

A Terms of Service agreement is also provided, prohibiting buyers from using the software on systems without permission and from scanning its executables using antivirus programs, most likely in an attempt to prevent detection.

“Following these changes, the new developer of HawkEye Reborn has continued to make changes and we expect this to continue as long as the developer can monetize their efforts,” Talos notes.

Starting with the second half of 2018 and continuing into 2019, the HawkEye Reborn keylogger/stealer was observed in ongoing malicious email campaigns. Purporting to deliver invoices, bills of materials, order confirmations, and the like, the emails attempt to trick users into executing the malware.

The attackers employed malicious Microsoft Excel, RTF and DOC files as attachments for malware delivery. Some of the campaigns would use file-sharing platforms like Dropbox for hosting the documents rather than directly attaching them.

During their investigation, the security researchers discovered that the documents had similarities with previously analyzed Remcos Trojan attacks, including matching metadata and blurry documents to trick the user into enabling content.

Many of the servers hosting HawkEye are used to host other malicious binaries as well, and many contain open directory listings revealing they are used to deliver additional stealers, RATs, and other malware.

The delivery documents attempt to exploit Office vulnerabilities such as CVE-2017-11882 to drop a heavily obfuscated payload. The keylogger also packs anti-analysis features and can disable certain anti-virus programs.

The malware also steals passwords from browsers, FileZilla, Beyluxe Messenger, CoreFTP, and the video game Minecraft. The information is sent to the attacker’s email address, Talos discovered.

The threat uses MailPassView and WebBrowserPassView freeware tools from Nirsoft to steal web and email passwords.

“Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,” Talos concludes.